
First-Party Data Targeting in a Privacy Law World

Chris Shuptrine
Updated on
October 26, 2021

Please note, we are not a law firm. Please view this as informational, not legal advice.

As you build your own ad platform, you’ll likely debate whether to enable first-party data targeting, whereby advertisers could target specific segments (based on user data you've collected, like past actions, demographics, interests, etc.).

Such targeting drives better performance for advertisers and can differentiate your offering — and yet, many publishers shy away from it. Why?

Sometimes this is due to limited engineering resources; or not having enough traffic to justify segmentation; or having limited access to first-party data (such as any digital-out-of-home screen).

But another reason is the fear of global privacy laws. Mishandling user-level data comes with business and financial risks. Avoiding first-party data entirely mitigates these concerns.

The good news is, it’s possible to incorporate first-party data targeting while complying with international laws. This article explores how exactly to do that.

What is first-party data, and how does it relate to my ad product?

First-party data refers to information that a company has collected directly about its customers or users. This data could include past user actions, demographics, and more, all tied to Personally Identifiable Information (PII) like IP address, a cookie ID, email address, and more.

LinkedIn, for example, ties a trove of data to each user — including job title, current company, college, etc. Amazon, meanwhile, knows past purchase history, and Facebook tracks what topics people interact with.

These brands monetize this data by allowing advertisers to create highly-specific segments to target. Salesforce will gladly pay premiums to target (1) anyone who is a ‘VP of Sales’ on LinkedIn and (2) those with “sales” as an interest on Facebook.

[Figure: LinkedIn targeting example]
[Figure: Facebook targeting example]

Indeed, first-party data targeting is the main reason that walled ad gardens continue to see quarter-over-quarter growth, and it’s a feature you’ll eventually need to scale and differentiate your ad product.

What are global privacy laws?

We won’t go into each law here (we already have breakdowns of GDPR, CCPA, PDPA, and LGPD). At a high level, these laws give citizens more control over how sites and apps use their PII. No longer does a website have free rein to track your IP address and then sell that info to a data broker; instead, it must now ask for permission before doing so.

[Figure: map of global privacy laws]

[Source: Secuvy](https://secuvy.ai/2020/05/02/global-privacy-laws/)

These laws are not everywhere, but they are growing in number. The map above gives a visual breakdown of which countries currently have such regulations.

There are real consequences to violating these laws. With the GDPR alone, fines can be as high as 20M Euros or 4% of your yearly revenue (whichever is higher).

Do privacy laws allow for ad personalization using first-party data?

Yes. These laws don’t ban using first-party data entirely; they ban doing so without the individual’s consent. If you tell them how you will use their data — and they consent to it — you can engage in ad personalization using first-party data.

[Figure: eBay's ad personalization consent prompt]

One point of clarification is that the above refers to “opt-in” privacy laws, which make up the bulk of global regulations. Some laws, on the other hand, are “opt-out”: you can use first-party data by default, but you must give users a way to opt out (such as an opt-out button in your site’s footer).

This means you effectively have three buckets of global users:

  1. Those you need opt-in consent from before processing their first-party data (EU, Brazil, Thailand, etc.)
  2. Those whose data you can use by default, but must have a way to opt-out of it (California)
  3. Those whose data you can use by default, without needing an opt-out option

Should I ask everyone for opt-in consent?

In other words, should you treat everyone as #1? Asking for consent from all users simplifies the process (no need for country breakdowns) and future-proofs the system for new laws.

That said, the opposing argument is this limits your pool of first-party data (and potential revenue) without a legal requirement to do so.

Ultimately, the decision whether to prompt consent from everyone is up to you and your legal team.

When do I ask for consent?

Much has been written on this, such as this guide. From a technical perspective, you’ll use a consent management platform (CMP), which will be either homegrown or a third-party tool.

These consent prompts usually happen when a user registers or upon page/app load (such as the common “Accept Cookies” banner).

[Figure: CMP consent prompt]

To date, opt-in rates are higher than one might expect, with Quantcast claiming 90% and Purch at 70%.

[Figure: Quantcast consent management platform]

Fortunately, as privacy laws have existed for years, you probably have some CMP in place already. Working with your marketing/legal teams to understand where and how consent is tracked is an important first step. That said, you cannot reuse past consent for new use cases: once you launch the ad platform, you will need to prompt for ad-targeting consent even from users who previously consented to other uses.

What should my CMP ask for in respect to ad targeting?

Consent is not a blanket “yes” or “no”. You’ll need consent toggles for each data use case. As you incorporate personalized ad targeting, you’ll need to update your CMP to reflect this usage. Below is how Etsy’s CMP asks for ad personalization consent:

[Figure: Etsy's ad personalization consent prompt]

There is no “one-size-fits-all” approach here. Ad platforms employ different messaging based on their reading of the laws. Below is another example, this one from Google:

[Figure: Google's ad personalization consent prompt]

How do I connect my CMP to my ad server?

Your CMP should operate like this:

  1. It will prompt users for consent in locations you specify. For example, you may have it appear in France (GDPR), but not the United States (no opt-in law).
  2. It will track consent and, if given, will enable the tracking of PII and first-party data. You’ll store this information in a homegrown system or a third-party customer data platform (CDP). Alternatively, this info could be stored locally, such as within a browser cookie.

The logistics of tying your CMP to your ad system depend on what tools you use. Third-party tools should have instructions on how to do this; if everything is homegrown, you’ll need to build this integration yourself.
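To make the consent gate concrete, here is an added Python example (not Kevel's code or any CMP vendor's) that applies the three user buckets described earlier: it maps a user's region to an opt-in, opt-out or no-law regime, checks a purpose-specific consent record, honors a manual opt-out, and strips first-party segments from the ad-server request whenever targeting is not permitted. The region table, the purpose name and the shape of the consent record are assumptions; which regime applies where is a decision for your legal team.

```python
from dataclasses import dataclass
from enum import Enum


class Regime(Enum):
    OPT_IN = "opt_in"    # bucket 1: consent required before processing (EU, Brazil, ...)
    OPT_OUT = "opt_out"  # bucket 2: allowed by default, but an opt-out must be honored (California)
    NONE = "none"        # bucket 3: allowed by default, no opt-out required


# Assumed, illustrative region -> regime table; which regime applies where is a legal decision.
REGIME_BY_REGION = {
    "FR": Regime.OPT_IN, "DE": Regime.OPT_IN, "BR": Regime.OPT_IN, "TH": Regime.OPT_IN,
    "US-CA": Regime.OPT_OUT,
    "US-TX": Regime.NONE,
}

# Consent is per purpose: launching ad targeting adds a new purpose key that old consent does not cover.
AD_PERSONALIZATION = "ad_personalization"


@dataclass
class ConsentRecord:
    purposes: dict           # purpose -> True (granted) or False (refused), as stored by the CMP
    opted_out: bool = False  # set by a "Do Not Sell" click or a manual opt-out request


def targeting_allowed(region, consent):
    """Return True only if first-party segments may be used for this user's ad request."""
    regime = REGIME_BY_REGION.get(region, Regime.OPT_IN)  # unknown region: treat as opt-in (strictest)
    if consent is not None and consent.opted_out:
        return False  # an explicit opt-out wins in every regime
    if regime is Regime.OPT_IN:
        return consent is not None and consent.purposes.get(AD_PERSONALIZATION) is True
    if regime is Regime.OPT_OUT:
        # allowed unless the user explicitly refused this purpose
        return consent is None or consent.purposes.get(AD_PERSONALIZATION, True) is not False
    return True


def build_ad_request(placement, region, consent, segments):
    """Attach first-party segments to the ad-server request only when permitted (default-deny)."""
    request = {"placement": placement, "segments": []}
    if targeting_allowed(region, consent):
        request["segments"] = sorted(segments)
    return request
```

Because the gate runs on every request rather than at consent-collection time, a later opt-out or a refused purpose takes effect immediately without touching the stored segments.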

What if my company doesn’t have a CMP in place?

If you don’t collect consent already, you’ll have to implement a CMP. This will increase project scope, but third-party tools like OneTrust make it relatively simple to add one.

What about opt-out honoring?

Your company likely has an opt-out link on your site already (such as a "Do Not Sell" button). If the person updates their CMP settings or submits a manual request, you’ll need to exclude them from future ad personalization.

[Figure: targeting with first-party data]

Do I need to update any legal documents?

Yes. If you use cookies/PII in a new way, you’ll need to update your cookie and privacy policies.

For reference, here are the cookie policies of the major ad platforms: Google, Facebook, Twitter, eBay, Etsy, Spotify, Amazon, LinkedIn.

And here are their privacy policies: Google, Facebook, Twitter, eBay, Etsy, Spotify, Amazon, LinkedIn.

We recommend speaking with your legal team to understand exactly what changes are needed.

Can I share or sell user-level data?

If the person provides consent to do so, then you can share their user-level data with a third party. That said, your proprietary data is valuable — why give that away? Moreover, nothing highlights your commitment to user privacy like never sharing or selling PII.

Do I need consent to personalize non-ad content using first-party data?

Most sites and apps employ personalization of some type, such as:

  1. A social network tracking what posts you like and putting related content in your feed
  2. A retail site placing a “You May Also Like” box containing products similar to what you’ve bought
  3. A free app promoting their paid plan after you’ve logged in six times

[Figure: internal promotion examples]

While these cases technically involve first-party data, they are not “ads” in the traditional sense (we refer to them as internal promotions). As such, is consent needed for this use case?

Many companies argue such non-ad personalization falls under “legitimate interest”, a concept in most privacy laws. The idea here is that when users expect your product to be personalized, then you don’t need consent.

[Figure: legitimate interest]
Source: Termly

A TikTok user, for example, may be upset if they repeatedly like cooking videos, but then their feed never contains any cooking content. Fortunately, TikTok does indeed track behavior and tailors content as needed.

By personalizing feeds based on past actions (aka first-party data), TikTok is delivering the tailored experience their users are expecting. This use of data, then, likely falls under the legitimate interest clause.

Compare this instead to TikTok selling that person’s mobile ID to AllRecipes, who may be interested in retargeting this home chef across the web. In no situation could one argue such data usage benefits the customer.

Ultimately, the decision whether to ask for consent for non-ad personalization falls upon you and your legal team.

Where does Apple’s App Tracking Transparency framework fit in?

Apple’s App Tracking Transparency (ATT) is a privacy protection framework that makes it easier for iOS users to protect how their data gets used by app developers.

“Tracking” here refers to linking user data with a third party for the purpose of advertising, such as retargeting, data selling, and attribution.

If you plan on doing any of the above, you have to request opt-in consent via a prompt upon app load (see below). This ATT consent box has no relation with your CMP prompt; consent from one cannot be applied to the other.

[Figure: Apple App Tracking Transparency prompt]
Source: FastCompany

If your ad platform neither shares nor ingests third-party data, then Apple’s documentation indicates you do not need ATT consent. This is true even if you use first-party data for ad personalization.

You will need consent, however, if you do any of the following:

  1. Augment user-level data with third-party info
  2. Share user IDs (IDFAs, email addresses, etc.) with anyone
  3. Allow advertisers to upload a list of IDs to target
  4. Offer advertisers a conversion/retargeting pixel to place on their site, which sends data back to you

Is there a way to test whether I should pursue adding first-party data targeting?

An important question when building any new ad feature is, “Will this be profitable?”

With first-party data targeting, you may look at the work involved and conclude any incremental revenue is not worth the effort. This may be true, but, more likely, it has the potential to scale and differentiate your platform.

It’s possible to verify that statement, though, with less effort than you may think. Rather than launching a global test, you could first focus on a specific country without a privacy law.

By targeting just these users (based on IP address), you could easily spin up a test without implementing a CMP, allowing you to validate hypotheses like:

  1. Do advertisers want to target specific segments?
  2. Are they willing to pay premiums to do so?
  3. Does user-level targeting produce better performance (cost per click, cost per action, etc.)?
  4. Can you use this data to optimize the ad platform on the backend (such as adding frequency capping to increase click-through rates)?

Here’s a breakdown of privacy laws by country to identify what location could work for you. One to look into is the United States, which has no country-wide opt-out law. That said, multiple states do have opt-out privacy laws, so you’d just want to exclude these states (or comply with them).

[Figure: US privacy laws by state]
Source: NYTimes

After this test, if you identify there is indeed a revenue potential, you could then invest the resources to build an ad platform that complies with all international privacy laws.

How can I easily integrate first-party data into my ad product?

If you’re looking to integrate first-party data into your ad platform, we’d love to chat.

Companies around the world (such as Edmunds, Motley Fool Global, and Slickdeals) have used Kevel’s ad APIs to launch ad programs that honor consent while also monetizing their highly-valuable first-party data.

We’ll talk you through what’s allowed, what best practices are, and how to get going in just weeks.
